Virtual Private Networks (VPNs)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Virtual Private Networks (VPNs)"

Transcription

1 CHAPTER 19 Virtual Private Networks (VPNs) Virtual private network is defined as customer connectivity deployed on a shared infrastructure with the same policies as a private network. The shared infrastructure can leverage a service provider IP, Frame Relay, or ATM backbone, or the Internet. There are three types of VPNs, which align with how businesses and organizations use VPNs Access VPN Provides remote access to a corporate intranet or extranet over a shared infrastructure with the same policies as a private network. Access VPNs enable users to access corporate resources whenever, wherever, and however they require. Access VPNs encompass analog, dial, ISDN, Digital Subscriber Line (DSL), mobile IP, and cable technologies to securely connect mobile users, telecommuters, or branch offices. Intranet VPN Links corporate headquarters, remote offices, and branch offices over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, quality of service (QoS), manageability, and reliability. Extranet VPN Links customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability. Figure 19-1 This figure provides a logical topology view of a VPN. IP Network Internet /IP/FR/ATM VPN Headquarters Home Office Branch Office Telecommuter Virtual Private Networks (VPNs) 19-1

2 Cisco Systems VPNs Cisco Systems VPNs Currently there are no standards outlining the software and hardware components of a VPN. Every vendor that provides a VPN service performs it in a method that is best supported by its own hardware platforms and software applications. The following sections of this chapter discuss the Cisco Systems implementation of VPN services. The Cisco Systems VPN Design Cisco s end-to-end hardware and Cisco IOS software networking products provide sophisticated security for sensitive private transmissions over the public infrastructure, QoS through traffic differentiation, reliability for mission-critical applications, scalability for supporting large bandwidth of data, and comprehensive network management to enable a complete access VPN solution. The following sections discuss how Cisco network access servers (NASs) and routers with Cisco IOS software provide new functionality with virtual dialup services. This functionality is based on the L2F protocol Internet Engineering Task Force (IETF) draft request for comments (RFC). The L2F protocol focuses on providing a standards-based tunneling mechanism for transporting link-layer frames for example, High-Level Data Link Control (HDLC), async Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or PPP Integrated Services Digital Network (ISDN) of higher-layer protocols. Using such tunnels, it is possible to divorce the location of the initial dialup server from the location at which the dialup protocol connection is terminated and the location at which access to the network is provided (usually a corporate gateway). Tunneling Defined A key component of the virtual dialup service is tunneling, a vehicle for encapsulating packets inside a protocol that is understood at the entry and exit points of a given network. These entry and exit points are defined as tunnel interfaces. The tunnel interface itself is similar to a hardware interface, but is configured in software. Figure 19-2 shows the format in which a packet would traverse the network within a tunnel. Figure 19-2 This is an overview of a tunneling packet format. IP/UDP L2F PPP (Data) Carrier Protocol Encapsulating Protocol Passenger Protocol Tunneling involves three types of protocols. The passenger protocol is the protocol being encapsulated; in a dialup scenario, this protocol could be PPP, SLIP, or text dialog. The encapsulating protocol is used to create, maintain, and tear down the tunnel. Cisco supports several encapsulating protocols, including the L2F protocol, which is used for virtual dialup services. The carrier protocol is used to carry the encapsulated protocol; IP is the first carrier protocol used by the L2F protocol because of its robust routing capabilities, ubiquitous support across different media, and deployment within the Internet Internetworking Technology Overview, June 1999

3 Cisco s Virtual Dialup Services No dependency exists between the L2F protocol and IP. In subsequent releases of the L2F functionality, Frame Relay, X.25 virtual circuits (VCs), and Asynchronous Transfer Mode (ATM) switched virtual circuits (SVCs) could be used as a direct Layer 2 carrier protocol for the tunnel. Tunneling has evolved to become one of the key components in defining and using VPNs. Cisco Systems provides virtual dialup service through a telecommuting form of a VPN. Cisco s Virtual Dialup Services The following terms are defined to fully describe the virtual dialup service that Cisco provides in its Cisco IOS software: Remote user The client who is dialing ISDN/Public Switched Telephone Network (PSTN) from either home or a remote location. NAS The telecommuting device that terminates the dialup calls either over analog (basic telephone service) or digital (ISDN) circuits. Internet service provider (ISP) The ISP, which supplies the dialup services, can provide for services itself through the NAS or can deliver the dialup remote user to a designated corporate gateway. gateway The destination router that provides access to the services the remote user is requesting. The services could be a corporation or even another ISP. Remote users (using either asynchronous PPP or ISDN) access the corporate LAN as if they were dialed directly into the corporate gateway, although their physical dialup is through the ISP NAS. Figure 19-2 gives a topological view of how these conventions would be deployed within a virtual dialup service. Cisco s L2F Implementation The key management requirements of service that are provided by Cisco s L2F implementation are as follows: Neither the remote end system nor its corporate hosts should require any special software to use this service in a secure manner. Authentication as provided by dialup PPP, Challenge Handshake Authentication Protocol (CHAP), or Password Authentication Protocol (PAP), including Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) solutions, as well as support for smart cards and one-time passwords; the authentication will be manageable by the user independently of the ISP. Addressing will be as manageable as dedicated dialup solutions; the address will be assigned by the remote user s respective corporation, and not by the ISP. Authorization will be managed by the corporation s remote users, as it would be in a direct dialup solution. Accounting will be performed by both the ISP (for billing purposes) and by the user (for chargeback and auditing). These requirements are primarily achieved based on the functionality provided by tunneling the remote user directly to the corporate location using the L2F protocol. In the case of PPP, all Link Control Protocol (LCP) and Network Control Protocol (NCP) negotiations take place at the remote user s corporate location. PPP is allowed to flow from the remote user and terminate at the corporate gateway. Figure 19-3 illustrates this process. Virtual Private Networks (VPNs) 19-3

4 Cisco Systems VPNs Figure 19-3 The remote client establishes a PPP connection with the corporate network to complete the virtual dialup topology. Remote User PSTN PRI NAS ISP/Internet Gateway LAN End-to-End Virtual Dialup Process To illustrate how the virtual dialup service works, the following example describes what might happen when a remote user initiates access. Figure 19-4 gives a step-by-step flow of this end-to-end process. The remote user initiates a PPP connection to an ISP over the PSTN or natively over ISDN. The NAS accepts the connection, and the PPP link is established. (See Figure 19-4, step 1.) 19-4 Internetworking Technology Overview, June 1999

5 Cisco s Virtual Dialup Services Figure 19-4 Eight steps are required for communications between a remote VPN client and a corporate LAN. Gateway 4 Security Server Backbone Infrastructure Remote User ISDN, Basic Telephone Service Cable, Wireless ADSL Home 1 NAS 6 2 Security Server Service Provider 1. Remote user initiates PPP connection, NAS accepts call. 2. NAS identifies remote user. 3. NAS initiates L2F tunnel to desired corporate gateway. 4. gateway authenticates remote user and accepts or declines tunnel. 5. gateway confirms acceptance of call and L2F tunnel. 6. NAS logs acceptance/traffic optional. 7. gateway exchanges PPP negotiations with remote user. IP address can be assigned by corporate gateway at this point. 8. End-to-end data tunneled from remote user and corporate gateway. The ISP authenticates the end system/user using CHAP or PAP. Only the username field is interpreted to determine whether the user requires a virtual dialup service. It is expected that usernames will be structured (for example, or that the ISP will maintain a database mapping users to services. In the case of virtual dialup, the mapping will name a specific endpoint, the corporate gateway. At the time of the first release, this endpoint is the IP address of the corporate gateway known to the public ISP network. (See Figure 19-4, step 2.) Note that if permitted by the organization s security policy, the authorization of the dial-in user at the NAS can be performed only on a domain name within the username field and not on every individual username. This setup can substantially reduce the size of the authorization database. If a virtual dialup service is not required, traditional access to the Internet may be provided by the NAS. All address assignment and authentication would be performed locally by the ISP in this situation. If no tunnel connection currently exists to the desired corporate gateway, one is initiated. The details of such tunnel creation are outside the scope of this specification; L2F requires only that the tunnel media provide point-to-point connectivity. Obvious examples of such media are the User Datagram Virtual Private Networks (VPNs) 19-5

6 Cisco Systems VPNs Protocol (UDP), Frame Relay, ATM, and X.25 VCs. Cisco supports UDP in its first release of the virtual dialup service. Based on UDP using a carrier protocol of IP, any media supporting IP will support the virtual dialup functionality. (See Figure 19-4, step 3.) When the tunnel connection is established, the NAS allocates an unused multiplex ID (MID) and sends a connect indication to notify the corporate gateway of this new dialup session. The MID identifies a particular connection within the tunnel. Each new connection is assigned a MID that is currently unused within the tunnel. The corporate gateway either accepts the connection or rejects it. Rejection may include a reason indication, which may be displayed to the dialup user, after which the call should be disconnected. The initial setup notification may include the authentication information required to allow the corporate gateway to authenticate the user and decide to accept or decline the connection. In the case of CHAP, the setup packet includes the challenge, username, and raw password; for PAP, it includes username and clear text password. The corporate gateway can be configured to use this information to complete its authentication, avoiding an additional cycle of authentication. Note that the authentication takes place at the corporate customer, allowing the corporation to impose its own security and corporate policy on the remote users accessing its network. In this way, the organization does not have to fully trust the authentication that was performed by the ISP. (See Figure 19-4, step 4.) If the corporate gateway accepts the connection, it creates a virtual interface for PPP in a manner analogous to what it would use for a direct-dialed connection. With this virtual interface in place, link-layer frames can pass over this tunnel in both directions. (See Figure 19-4, step 5.) Frames from the remote user are received at the NAS, stripped of any link framing or transparency bytes, encapsulated in L2F, and forwarded over the appropriate tunnel. In the first release, the carrier protocol used by the L2F protocol within the tunnel is IP, requiring the frames to also be encapsulated within IP. The corporate gateway accepts these frames, strips L2F, and processes the frames as normal incoming frames for the appropriate interface and protocol. The virtual interface behaves very much like a hardware interface, except that the hardware in this case is physically located at the ISP NAS. The reverse traffic direction behaves analogously, with the corporate gateway encapsulating the packet in L2F, and the NAS stripping L2F encapsulation before transmitting it out the physical interface to the remote user. In addition, the NAS can optionally log the acceptance of the call and any relevant information with respect to the type of services provided to the remote user, such as duration of call, packets/bytes transferred, and protocol ports accessed. (See Figure 19-4, step 6.) At this point, the connectivity is a point-to-point PPP connection whose endpoints are the remote user s networking application on one end and the termination of this connectivity into the corporate gateway s PPP support on the other. Because the remote user has become simply another dialup client of the corporate gateway access server, client connectivity can now be managed using traditional mechanisms with respect to further authorization, address negotiation, protocol access, accounting, and filtering. (See Figure 19-4, steps 7 and 8.) Because L2F connection notifications for PPP clients contain sufficient information for a corporate gateway to authenticate and initialize its LCP state machine, the remote user is not required to be queried for CHAP authentication a second time, nor is the client required to undergo multiple rounds of LCP negotiation and convergence. These techniques are intended to optimize connection setup and are not intended to circumvent any functions required by the PPP specification Internetworking Technology Overview, June 1999

7 Cisco s Virtual Dialup Services Highlights of Virtual Dialup Service The following sections discuss some of the significant differences between the standard Internet access service and the virtual dialup service with respect to authentication, address allocation, authorization, and accounting. It should be noted that the functionality provided by Cisco s network access servers are intended to provide for both the virtual dialup and traditional dialup services. Authentication/Security In a traditional dialup scenario, the ISP using a NAS in conjunction with a security server follows an authentication process by challenging the remote user for both the username and password. If the remote user passes this phase, the authorization phase can begin. For the virtual dialup service, the ISP pursues authentication to the extent required to discover the user s apparent identity (and by implication, the user s desired corporate gateway). No password interaction is performed at this point. As soon as the corporate gateway is determined, a connection is initiated with the authentication information gathered by the ISP. The corporate gateway completes the authentication by either accepting or rejecting the connection. (For example, the connection is rejected in a PAP request in which the username or password is found to be incorrect.) When the connection is accepted, the corporate gateway can pursue another phase of authentication at the PPP layer. These additional authentication activities are outside the scope of the specification, but might include proprietary PPP extensions or textual challenges carried within a TCP/IP Telnet session. For each L2F tunnel established, L2F tunnel security generates a unique random key to resist spoofing attacks. Within the L2F tunnel, each multiplexed session maintains a sequence number to prevent the duplication of packets. Cisco provides the flexibility of allowing users to implement compression at the client end. In addition, encryption on the tunnel can be done using IP security (IPsec). Authorization When providing a traditional dialup service, the ISP is required to maintain per-user profiles defining the authorization. Thus a security server could interact with the NAS to provide policy-based usage to connecting users, based on their authentication. These policy statements can range from simple source/destination filters for a handful of sites to complex algorithms that determine specific applications, time of day access, and a long list of permitted or denied destinations. This process can become burdensome to the ISP, especially if providing access to remote users on behalf of corporations that require constant change to this policy. In a virtual dialup service, the burden of providing detailed authorization based on policy statements is given directly to the remote user s corporation. By allowing end-to-end connectivity between remote users and their corporate gateway, all authorization can be performed as if the remote users are dialed into the corporate location directly. This setup frees the ISP from having to maintain a large database of individual user profiles based on many different corporations. More importantly, the virtual dialup service becomes more secure for the corporations using it because it allows the corporations to quickly react to changes in their remote user community. Address Allocation For a traditional Internet service, the user accepts that the IP address may be allocated dynamically from a pool of service provider addresses. This model often means that remote users have little or no access to their corporate network s resources because firewalls and security policies deny access to the corporate network from external IP addresses. Virtual Private Networks (VPNs) 19-7

8 Cisco Systems VPNs For the virtual dialup service, the corporate gateway can exist behind the corporate firewall and allocate addresses that are internal (and, in fact, can be RFC 1597 addresses, or non-ip addresses). Because L2F tunnels operate exclusively at the frame layer, the actual policies of such address management are irrelevant to correct virtual dialup service; for all purposes of PPP protocol handling, the dial-in user appears to have connected at the corporate gateway. Accounting The requirement that both the NAS and the corporate gateway provide accounting data can mean that they may count packets, octets, and connection start and stop times. Because virtual dialup is an access service, accounting of connection attempts (in particular, failed connection attempts) is of significant interest. The corporate gateway can reject new connections based on the authentication information gathered by the ISP, with corresponding logging. For cases in which the corporate gateway accepts the connection and then continues with further authentication, the corporate gateway might subsequently disconnect the client. For such scenarios, the disconnection indication back to the ISP can also include a reason. Because the corporate gateway can decline a connection based on the authentication information collected by the ISP, accounting can easily draw a distinction between a series of failed connection attempts and a series of brief successful connections. Without this facility, the corporate gateway must always accept connection requests, and would need to exchange numerous PPP packets with the remote system Internetworking Technology Overview, June 1999

PPPoA Baseline Architecture

PPPoA Baseline Architecture PPPoA Baseline Architecture Document ID: 12914 Contents Introduction Assumption Technology Brief Advantages and Disadvantages of PPPoA Architecture Advantages Disadvantages Implementation Considerations

More information

A device that bridges the wireless link on one side to the wired network on the other.

A device that bridges the wireless link on one side to the wired network on the other. GLOSSARY A Access point Analog Channel ARP ATM ATO A device that bridges the wireless link on one side to the wired network on the other. A circuit-switched communication path intended to carry 3.1 KHz

More information

Cisco PPPoE Baseline Architecture for the Cisco UAC 6400

Cisco PPPoE Baseline Architecture for the Cisco UAC 6400 Cisco PPPoE Baseline Architecture for the Cisco UAC 6400 Document ID: 12915 Contents Introduction Assumption Technology Brief Advantages and Disadvantages of PPPoE Architecture Advantages Disadvantages

More information

PPP over Frame Relay

PPP over Frame Relay The feature allows a router to establish end-to-end Point-to-Point Protocol (PPP) sessions over Frame Relay. Finding Feature Information, page 1 Prerequisites for, page 1 Restrictions for, page 2 Information

More information

Secure VPNs for Enterprise Networks

Secure VPNs for Enterprise Networks Secure Virtual Private Networks for Enterprise February 1999 Secure VPNs for Enterprise Networks This document provides an overview of Virtual Private Network (VPN) concepts using the. Benefits of using

More information

VPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP)

VPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP) VPN Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP) Agenda VPN Classical Approach Overview IP Based Solutions IP addresses non overlapping IP addresses overlapping MPLS-VPN VPDN RAS

More information

Cisco 5921 Embedded Services Router

Cisco 5921 Embedded Services Router Data Sheet Cisco 5921 Embedded Services Router The Cisco 5921 Embedded Services Router (ESR) is a Cisco IOS software router application. It is designed to operate on small, low-power, Linux-based platforms

More information

User Guide IP Connect CSD

User Guide IP Connect CSD The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Wireless Maingate AB shall have no liability for any error or damages

More information

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security Operating System Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security White Paper Abstract The Microsoft Windows operating system includes technology to secure communications

More information

Server Operating System

Server Operating System Server Operating System White Paper Microsoft Virtual Private Networking: Using Point-to- Point Tunneling Protocol for Low-Cost, Secure, Remote Access Across the Internet 1996 Microsoft Corporation. All

More information

Universal Port Resource Pooling for Voice and Data Services

Universal Port Resource Pooling for Voice and Data Services Universal Port Resource Pooling for Voice and Data Services Feature History Release 12.2(2)XA 12.2(2)XB1 12.2(11)T Description This feature was introduced on the Cisco AS5350 and AS5400. This feature was

More information

Point-to-Point Protocol (PPP) Accessing the WAN Chapter 2

Point-to-Point Protocol (PPP) Accessing the WAN Chapter 2 Point-to-Point Protocol (PPP) Accessing the WAN Chapter 2 ITE I Chapter 6 2006 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Objectives Describe the fundamental concepts of point-to-point serial

More information

RADIUS Tunnel Preference for Load Balancing

RADIUS Tunnel Preference for Load Balancing RADIUS Tunnel Preference for Load Balancing and Fail-Over Finding Feature Information RADIUS Tunnel Preference for Load Balancing and Fail-Over Last Updated: July 18, 2011 The RADIUS Tunnel Preference

More information

Configuring PPP Callback

Configuring PPP Callback Configuring PPP Callback This chapter describes how to configure PPP callback for dial-on-demand routing (DDR). It includes the following main sections: PPP Callback for DDR Overview How to Configure PPP

More information

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Question Number (ID) : 1 (jaamsp_mngnwi-088) You are the administrator for medium-sized network with many users who connect remotely. You have configured a server running Microsoft Windows Server 2003,

More information

Configuring PPP over ATM with NAT

Configuring PPP over ATM with NAT CHAPTER 4 The Cisco Secure Router 520 ADSL-over-POTS and Cisco Secure Router 520 ADSL-over-ISDN routers support Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA) clients and network address

More information

L2F Case Study Overview

L2F Case Study Overview L2F Case Study Overview Introduction This case study describes how one Internet service provider (ISP) plans, designs, and implements an access virtual private network (VPN) by using Layer 2 Forwarding

More information

6.1. WAN Type. WAN types include the following:

6.1. WAN Type. WAN types include the following: 6.1. WAN Type WAN types include the following: Method Point to Point Circuit Switching Packet Switching Description A point to point connection is a single, pre established path from the customer's network

More information

Configuring Security on the GGSN

Configuring Security on the GGSN CHAPTER 12 This chapter describes how to configure security features on the gateway GPRS support node (GGSN), including Authentication, Authorization, and Accounting (AAA), and RADIUS. IPSec on the Cisco

More information

Data Link Protocols. TCP/IP Suite and OSI Reference Model

Data Link Protocols. TCP/IP Suite and OSI Reference Model Data Link Protocols Relates to Lab. This module covers data link layer issues, such as local area networks (LANs) and point-to-point links, Ethernet, and the Point-to-Point Protocol (PPP). 1 TCP/IP Suite

More information

Configuring L2TP over IPsec

Configuring L2TP over IPsec CHAPTER 62 This chapter describes how to configure L2TP over IPsec on the ASA. This chapter includes the following topics: Information About L2TP over IPsec, page 62-1 Licensing Requirements for L2TP over

More information

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides detailed accounting information and flexible

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

PPP. Point-to-Point Protocol

PPP. Point-to-Point Protocol PPP Point-to-Point Protocol 1 Introduction One of the most common types of WAN connection is the point-to-point connection. Point-to-point connections are used to connect LANs to service provider WANs,

More information

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions

[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions [MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open

More information

Cisco 5921 Embedded Services Router

Cisco 5921 Embedded Services Router Data Sheet Cisco 5921 Embedded Services Router The Cisco 5921 Embedded Services Router (ESR) is a Cisco IOS software router. It is designed to operate on small, low-power, Linux-based platforms to extend

More information

Configuring X.25 on ISDN Using AO/DI

Configuring X.25 on ISDN Using AO/DI Configuring X.25 on ISDN Using AO/DI The chapter describes how to configure the X.25 on ISDN using the Always On/Dynamic ISDN (AO/DI) feature. It includes the following main sections: AO/DI Overview How

More information

thus, the newly created attribute is accepted if the user accepts attribute 26.

thus, the newly created attribute is accepted if the user accepts attribute 26. Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements in a user profile, which is stored on the RADIUS

More information

RADIUS Vendor-Proprietary Attributes

RADIUS Vendor-Proprietary Attributes RADIUS Vendor-Proprietary Attributes Last Updated: January 17, 2012 The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server

More information

RADIUS Attributes Overview and RADIUS IETF Attributes

RADIUS Attributes Overview and RADIUS IETF Attributes RADIUS Attributes Overview and RADIUS IETF Attributes Remote Authentication Dial-In User Service (RADIUS) attributes are used to define specific authentication, authorization, and accounting (AAA) elements

More information

Introduction to WAN Technologies

Introduction to WAN Technologies Introduction to WAN Technologies From DocWiki This article introduces the various protocols and technologies used in wide-area network (WAN) environments. Topics summarized here include point-to-point

More information

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

Ingate Firewall & SIParator Product Training. SIP Trunking Focused Ingate Firewall & SIParator Product Training SIP Trunking Focused Common SIP Applications SIP Trunking Remote Desktop Ingate Product Training Common SIP Applications SIP Trunking A SIP Trunk is a concurrent

More information

Implementing ADSL and Deploying Dial Access for IPv6

Implementing ADSL and Deploying Dial Access for IPv6 Implementing ADSL and Deploying Dial Access for IPv6 Last Updated: July 31, 2012 Finding Feature Information, page 1 Restrictions for Implementing ADSL and Deploying Dial Access for IPv6, page 1 Information

More information

HP VSR1000 Virtual Services Router

HP VSR1000 Virtual Services Router HP VSR1000 Virtual Services Router Layer 2 - WAN Access Configuration Guide Part number: 5998-6023 Software version: VSR1000_HP-CMW710-R0202-X64 Document version: 6W100-20140418 Legal and notice information

More information

Vendor-Proprietary Attribute

Vendor-Proprietary Attribute RADIUS s The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server. However, some vendors have extended

More information

VPN. Virtual Private Network. Mario Baldi. Synchrodyne Networks, Inc. VPN - 1 M.

VPN. Virtual Private Network. Mario Baldi. Synchrodyne Networks, Inc.  VPN - 1 M. VPN Virtual Private Network Mario Baldi Synchrodyne Networks, Inc. http://www.synchrodyne.com/baldi VPN - 1 M. Baldi: see page 2 Nota di Copyright This set of transparencies, hereinafter referred to as

More information

HPE FlexNetwork MSR Router Series

HPE FlexNetwork MSR Router Series HPE FlexNetwork MSR Router Series Comware 7 Layer 2 - WAN Access Configuration Guides Part number: 5998-8783 Software version: CMW710-E0407 Document version: 6W100-20160526 Copyright 2016 Hewlett Packard

More information

Virtual Private Networks

Virtual Private Networks Chapter 12 Virtual Private Networks Introduction Business has changed in the last couple of decades. Companies now have to think about having a global presence, global marketing, and logistics. Most of

More information

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7)

HP MSR Router Series. Layer 2 - WAN Access Configuration Guide(V7) HP MSR Router Series Layer 2 - WAN Access Configuration Guide(V7) Part number: 5998-7721b Software version: CMW710-R0304 Document version: 6PW104-20150914 Legal and notice information Copyright 2015 Hewlett-Packard

More information

bintec R230a R230aw ADSL router with SIP proxy and IPSec

bintec R230a R230aw ADSL router with SIP proxy and IPSec bintec R230a R230aw ADSL router with SIP proxy and IPSec The bintec R230a / R230aw are the successor products of X2301 / X2301w and in addition both models offer the same feature set available in their

More information

RADIUS Tunnel Preference for Load Balancing and Fail-Over

RADIUS Tunnel Preference for Load Balancing and Fail-Over RADIUS Tunnel Preference for Load Balancing and Fail-Over Feature History for RADIUS Tunnel Preference for Load Balancing and Fail-Over Release Modification 12.2(4)T This feature was introduced. 12.2(11)T

More information

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT Hüseyin ÇOTUK Information Technologies hcotuk@etu.edu.tr Ahmet ÖMERCİOĞLU Information Technologies omercioglu@etu.edu.tr Nurettin ERGİNÖZ Master Student

More information

Network Working Group

Network Working Group Network Working Group Request for Comments: 2637 Category: Informational K. Hamzeh Ascend Communications G. Pall Microsoft Corporation W. Verthein 3Com J. Taarud Copper Mountain Networks W. Little ECI

More information

TECHNICAL REPORT. CPE Architecture Recommendations for Access to Legacy Data Networks. DSL Forum TR-032. May 2000

TECHNICAL REPORT. CPE Architecture Recommendations for Access to Legacy Data Networks. DSL Forum TR-032. May 2000 TECHNICAL REPORT DSL Forum TR-032 CPE Architecture Recommendations for Access to Legacy Data s May 2000 Abstract: This document describes four protocol architectures for connecting a remote ADSL termination

More information

Part 5: Link Layer Technologies. CSE 3461: Introduction to Computer Networking Reading: Chapter 5, Kurose and Ross

Part 5: Link Layer Technologies. CSE 3461: Introduction to Computer Networking Reading: Chapter 5, Kurose and Ross Part 5: Link Layer Technologies CSE 3461: Introduction to Computer Networking Reading: Chapter 5, Kurose and Ross 1 Outline PPP ATM X.25 Frame Relay 2 Point to Point Data Link Control One sender, one receiver,

More information

Operation Manual Security. Table of Contents

Operation Manual Security. Table of Contents Table of Contents Table of Contents Chapter 1 802.1x Configuration... 1-1 1.1 802.1x Overview... 1-1 1.1.1 802.1x Standard Overview... 1-1 1.1.2 802.1x System Architecture... 1-1 1.1.3 802.1x Authentication

More information

DHCP Client on WAN Interfaces

DHCP Client on WAN Interfaces DHCP Client on WAN Interfaces First Published: February 25, 2002 Last Updated: September 12, 2008 The DHCP Client on WAN Interfaces feature extends the Dynamic Host Configuration Protocol (DHCP) to allow

More information

Cisco DSL Router Configuration and Troubleshooting Guide Cisco DSL Router Acting as a PPPoE Client with a Dynamic IP Address

Cisco DSL Router Configuration and Troubleshooting Guide Cisco DSL Router Acting as a PPPoE Client with a Dynamic IP Address Cisco DSL Router Configuration and Troubleshooting Guide Cisco DSL Router Acting as a PPPoE Client with a Dynamic IP Address Document ID: 71118 Contents Introduction Prerequisites Requirements Components

More information

RADIUS Commands. Cisco IOS Security Command Reference SR

RADIUS Commands. Cisco IOS Security Command Reference SR RADIUS Commands This chapter describes the commands used to configure RADIUS. RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation,

More information

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

ETSF05/ETSF10 Internet Protocols Network Layer Protocols ETSF05/ETSF10 Internet Protocols Network Layer Protocols 2016 Jens Andersson Agenda Internetworking IPv4/IPv6 Framentation/Reassembly ICMPv4/ICMPv6 IPv4 to IPv6 transition VPN/Ipsec NAT (Network Address

More information

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN Issue 1.1 Date 2014-03-14 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or

More information

Analysis of VPN Protocols

Analysis of VPN Protocols Analysis of VPN Protocols ECE 646 Final Project Presentation Tamer Mabrouk Touhidur Satiar Overview VPN Definitions Emergence of VPN Concept of Tunneling VPN Classification Comparison of Protocols Customer

More information

Review on protocols of Virtual Private Network

Review on protocols of Virtual Private Network Review on protocols of Virtual Private Network Shaikh Shahebaz 1, Sujay Madan 2, Sujata Magare 3 1 Student, Dept. Of MCA [JNEC College] Cidoco N-6, Aurangabad, Maharashtra, India 2 Student Dept. of MCA

More information

Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright 2005

Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright 2005 Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright 2005 Network and Telecommunications Basics Chapter Outline The telecommunications system Network services

More information

VPN Virtual Private Networks

VPN Virtual Private Networks VPN Virtual Private Networks Mathias Schäfer WS 2003/2004 Overview 2 Overview Why VPNs VPN-use-cases Requirements Security Performance Conclusion Why VPNs 3 Why VPNs In business-solutions VPN-technology

More information

By VPNet Technologies. What s a VPN Anyway? A Virtual Private Networking Primer

By VPNet Technologies. What s a VPN Anyway? A Virtual Private Networking Primer By VPNet Technologies What s a VPN Anyway? A Virtual Private Networking Primer What s a VPN Anyway? What s a VPN Anyway? or The Cloud s Silver Lining Is Your Net 1998 VPNet Technologies Inc. All rights

More information

Telstra Mobile SMS ACCESS MANAGER Technical Guide.

Telstra Mobile SMS ACCESS MANAGER Technical Guide. Telstra Mobile SMS ACCESS MANAGER Technical Guide. Technology solutions that let you do what you do best. www.telstra.com 2 Table of Contents 1. Introduction 4 2. Selection of Access Method 4 3. Access

More information

RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values

RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values RADIUS s and RADIUS Disconnect-Cause Values The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server

More information

Inspection of Router-Generated Traffic

Inspection of Router-Generated Traffic Inspection of Router-Generated Traffic The Inspection of Router-Generated Traffic feature allows Context-Based Access Control (CBAC) to inspect traffic that is originated by or destined to the router on

More information

PPPoE Technology White Paper

PPPoE Technology White Paper PPPoE Technology White Paper Keywords: PPP, Ethernet, PPPoE Abstract: Point-to-Point Protocol over Ethernet (PPPoE) provides access to the Internet for hosts on an Ethernet through a remote access device

More information

QoS: Per-Session Shaping and Queuing on LNS

QoS: Per-Session Shaping and Queuing on LNS QoS: Per-Session Shaping and Queuing on LNS First Published: February 28, 2006 The QoS: Per-Session Shaping and Queuing on LNS feature provides the ability to shape (for example, transmit or drop) or queue

More information

aaa max-sessions maximum-number-of-sessions The default value for aaa max-sessions command is platform dependent. Release 15.0(1)M.

aaa max-sessions maximum-number-of-sessions The default value for aaa max-sessions command is platform dependent. Release 15.0(1)M. aaa max-sessions aaa max-sessions To set the maximum number of simultaneous authentication, authorization, and accounting (AAA) connections permitted for a user, use the aaa max-sessions command in global

More information

2001, Cisco Systems, Inc. All rights reserved. Copyright 2001, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.

2001, Cisco Systems, Inc. All rights reserved. Copyright 2001, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID. 3001_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved. 1 Introduction to IP Mobility Session 3001_05_2001_c1 2001, Cisco Systems, Inc. All rights reserved. 3 Agenda IP Mobility Overview Terminology

More information

Data Sheet. NCP Secure Enterprise Linux Client. Next Generation Network Access Technology

Data Sheet. NCP Secure Enterprise Linux Client. Next Generation Network Access Technology Versatile central manageable VPN Client Suite for Linux Central Management and Network Access Control Compatible with VPN gateways (IPsec Standard) Integrated, dynamic personal firewall FIPS Inside Fallback

More information

TSIN02 - Internetworking

TSIN02 - Internetworking Literature: Lecture 10: AAA RFC3286 RFC2881 RFC2905 RFC2903 Lecture 10: AAA Goals: 2004 Image Coding Group, Linköpings Universitet 2 Lecture 10: AAA AAA Introduction Outline: AAA introduction AAA in Network

More information

Table of Contents. Cisco TCP/IP

Table of Contents. Cisco TCP/IP Table of Contents TCP/IP Overview...1 TCP/IP Technology...1 TCP...1 IP...2 Routing in IP Environments...4 Interior Routing Protocols...5 RIP...5 IGRP...6 OSPF...6 Integrated IS IS...6 Exterior Routing

More information

Configuring RTP Header Compression

Configuring RTP Header Compression Configuring RTP Header Compression First Published: January 30, 2006 Last Updated: July 23, 2010 Header compression is a mechanism that compresses the IP header in a packet before the packet is transmitted.

More information

CS519: Computer Networks. Lecture 8: Apr 21, 2004 VPNs

CS519: Computer Networks. Lecture 8: Apr 21, 2004 VPNs : Computer Networks Lecture 8: Apr 21, 2004 VPNs VPN Taxonomy VPN Client Network Provider-based Customer-based Provider-based Customer-based Compulsory Voluntary L2 L3 Secure Non-secure ATM Frame Relay

More information

Configuring PPP over Ethernet with NAT

Configuring PPP over Ethernet with NAT This chapter provides an overview of Point-to-Point Protocol over Ethernet (PPPoE) clients and network address translation (NAT) that can be configured on the Cisco 819, Cisco 860, Cisco 880, and Cisco

More information

Cisco Expressway with Jabber Guest

Cisco Expressway with Jabber Guest Cisco Expressway with Jabber Guest Deployment Guide First Published: Decemeber 2016 Cisco Expressway X8.9 Cisco Jabber Guest Server 10.6.9 (or later) Cisco Systems, Inc. www.cisco.com Contents Preface

More information

Internet. 1) Internet basic technology (overview) 3) Quality of Service (QoS) aspects

Internet. 1) Internet basic technology (overview) 3) Quality of Service (QoS) aspects Internet 1) Internet basic technology (overview) 2) Mobility aspects 3) Quality of Service (QoS) aspects Relevant information: these slides (overview) course textbook (Part H) www.ietf.org (details) IP

More information

MPLS VPN. 5 ian 2010

MPLS VPN. 5 ian 2010 MPLS VPN 5 ian 2010 What this lecture is about: IP CEF MPLS architecture What is MPLS? MPLS labels Packet forwarding in MPLS MPLS VPNs 3 IP CEF & MPLS Overview How does a router forward packets? Process

More information

MPLS in the DCN. Introduction CHAPTER

MPLS in the DCN. Introduction CHAPTER CHAPTER 5 First Published: January 3, 2008 Last Updated: January 3, 2008 Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images Use Cisco Feature Navigator to find information

More information

BCRAN. Section 9. Cable and DSL Technologies

BCRAN. Section 9. Cable and DSL Technologies BCRAN Section 9 Cable and DSL Technologies Cable and DSL technologies have changed the remote access world dramatically. Without them, remote and Internet access would be limited to the 56 kbps typical

More information

TCP/IP Protocol Suite and IP Addressing

TCP/IP Protocol Suite and IP Addressing TCP/IP Protocol Suite and IP Addressing CCNA 1 v3 Module 9 10/11/2005 NESCOT CATC 1 Introduction to TCP/IP U.S. DoD created the TCP/IP model. Provides reliable data transmission to any destination under

More information

VPDN Tunnel Management

VPDN Tunnel Management VPDN Tunnel Management Finding Feature Information VPDN Tunnel Management Last Updated: July 22, 2011 This module contains information about managing virtual private dialup network (VPDN) tunnels and monitoring

More information

DPRO Kimberly K. Hiller, Gerald Arcuri

DPRO Kimberly K. Hiller, Gerald Arcuri Kimberly K. Hiller, Gerald Arcuri Technology Overview 27 August 2003 Routers: Overview Summary Routers continue to evolve with better performance and a larger variety of WAN and LAN options, and security.

More information

Provisioning Broadband Aggregators Topics

Provisioning Broadband Aggregators Topics CHAPTER 7 The Cisco Broadband Access Center software enables you to provision services on broadband aggregators. Provisioning occurs after you create administrative networks and network devices. See Chapter

More information

ip dhcp-client network-discovery through ip nat sip-sbc

ip dhcp-client network-discovery through ip nat sip-sbc ip dhcp-client network-discovery through ip nat sip-sbc ip dhcp-client network-discovery, page 3 ip dhcp-client update dns, page 5 ip dhcp drop-inform, page 8 ip dhcp-relay information option server-override,

More information

Content 1 OVERVIEW HARDWARE DESCRIPTION HARDWARE INSTALLATION PC CONFIGURATION GUIDE... 5 WEB-BASED MANAGEMENT GUIDE...

Content 1 OVERVIEW HARDWARE DESCRIPTION HARDWARE INSTALLATION PC CONFIGURATION GUIDE... 5 WEB-BASED MANAGEMENT GUIDE... Content 1 OVERVIEW...1 1.1FEATURES...1 1.2 PACKETCONTENTS...3 1.3 SYSTEM REQUIREMENTS... 1.4 FACTORY DEFAULTS...4 1.5 WARNINGS AND CAUTIONS...4 2 HARDWARE DESCRIPTION... 6 3 HARDWARE INSTALLATION...8 4

More information

APPLICATION NOTE 710 Dial-Up Networking with the DS80C400 Microcontroller

APPLICATION NOTE 710 Dial-Up Networking with the DS80C400 Microcontroller Maxim > App Notes > MICROCONTROLLERS Keywords: PPP, dial-up networking, embedded networking, DS80C400, DS80C390, TINI, remote sensor, networked sensor, networked microcontroller, network micro May 14,

More information

AAA Authorization and Authentication Cache

AAA Authorization and Authentication Cache AAA Authorization and Authentication Cache First Published: March 16, 2006 Last Updated: March 1, 2006 The AAA Authorization and Authentication Cache feature allows you to cache authorization and authentication

More information

Prestige 660HW Series. Prestige 660H Series. Quick Start Guide

Prestige 660HW Series. Prestige 660H Series. Quick Start Guide Prestige 660HW Series ADSL 2+ 4-Port Gateway with 802.11g Wireless Prestige 660H Series ADSL 2+ 4-Port Gateway Quick Start Guide Version 3.40 01/2005 Table of Contents Introducing the Prestige... 3 1 Hardware

More information

Define TCP/IP and describe its advantages on Windows Describe how the TCP/IP protocol suite maps to a four-layer model

Define TCP/IP and describe its advantages on Windows Describe how the TCP/IP protocol suite maps to a four-layer model [Previous] [Next] Chapter 2 Implementing TCP/IP About This Chapter This chapter gives you an overview of Transmission Control Protocol/Internet Protocol (TCP/IP). The lessons provide a brief history of

More information

User Guide IP Connect GPRS Wireless Maingate

User Guide IP Connect GPRS Wireless Maingate User Guide IP Connect GPRS Wireless Maingate Document number: MG040123 PdM F Date: 2007-10-03 Information class: Open Information Address: Wireless Maingate Box 244 S-371 24 KARLSKRONA Sweden Phone number:

More information

The high-speed services required for these customers and environments include:

The high-speed services required for these customers and environments include: Chapter 7 NETWORK MODELS THE NEED FOR MULTISERVICES technology provides a cost-effective means for service users to gain access from the residence or office to very high-speed network services. transmission

More information

Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS XE Release 3S

Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS XE Release 3S Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS XE Release 3S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408

More information

TOLLY. Nortel Networks. Contivity Extranet Switch Test Summary. Fast Ethernet-to-Fast Ethernet Layer 2 Tunneling Protocol Throughput

TOLLY. Nortel Networks. Contivity Extranet Switch Test Summary. Fast Ethernet-to-Fast Ethernet Layer 2 Tunneling Protocol Throughput T H E TOLLY G R O U P No. 199104 January 1999 Nortel Networks Contivity Extranet Switch 4000 Fast Ethernet-to-Fast Ethernet Layer 2 Tunneling Protocol Throughput Test Summary Premise: As savvy network

More information

William Stallings Data and Computer Communications 7 th Edition. Chapter 10 Circuit Switching and Packet Switching

William Stallings Data and Computer Communications 7 th Edition. Chapter 10 Circuit Switching and Packet Switching William Stallings Data and Computer Communications 7 th Edition Chapter 10 Circuit Switching and Packet Switching Switching Networks Long distance transmission is typically done over a network of switched

More information

IPsec NAT Transparency

IPsec NAT Transparency sec NAT Transparency First Published: November 25, 2002 Last Updated: March 1, 2011 The sec NAT Transparency feature introduces support for Security (sec) traffic to travel through Network Address Translation

More information

Monitoring Remote Access VPN Services

Monitoring Remote Access VPN Services CHAPTER 5 A remote access service (RAS) VPN secures connections for remote users, such as mobile users or telecommuters. RAS VPN monitoring provides all of the most important indicators of cluster, concentrator,

More information

Configuring H.323 Gatekeepers and Proxies

Configuring H.323 Gatekeepers and Proxies Configuring H.323 Gatekeepers and Proxies This chapter describes how to configure the Cisco Multimedia Conference Manager. The Multimedia Conference Manager provides gatekeeper and proxy capabilities required

More information

TACACS+ Configuration Guide, Cisco IOS XE Release 3S

TACACS+ Configuration Guide, Cisco IOS XE Release 3S Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

based computing that takes place over the Internet, basically a step on from Utility Computing.

based computing that takes place over the Internet, basically a step on from Utility Computing. REVIEW OF LITERATURE Joseph Davies & Elliot Lewis (2003) In this paper Cloud Computing is a general term used to describe a new class of network based computing that takes place over the Internet, basically

More information

Network Services Internet VPN

Network Services Internet VPN Contents 1. 2. Network Services Customer Responsibilities 3. Network Services General 4. Service Management Boundary 5. Defined Terms Network Services Where the Customer selects as detailed in the Order

More information

Configuring PPP over ATM with NAT

Configuring PPP over ATM with NAT This chapter provides an overview of Point-to-Point Protocol over Asynchronous Transfer Mode (PPPoA) clients and network address translation (NAT) that can be configured on the Cisco 860 and Cisco 880

More information

Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon

Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon Intelligent Services Gateway (ISG) is a Cisco software feature set that provides a structured framework in which

More information

Configuring RTP Header Compression

Configuring RTP Header Compression Header compression is a mechanism that compresses the IP header in a packet before the packet is transmitted. Header compression reduces network overhead and speeds up the transmission of either Real-Time

More information

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications

Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Cisco Dynamic Multipoint VPN: Simple and Secure Branch-to-Branch Communications Product Overview Cisco Dynamic Multipoint VPN (DMVPN) is a Cisco IOS Software-based security solution for building scalable

More information

Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS Release 12.2SX

Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS Release 12.2SX Broadband Access Aggregation and DSL Configuration Guide, Cisco IOS Release 12.2SX Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel:

More information